At 5:16 PM -0500 1/21/02, Will Rodger wrote:
Arnold says:
You can presumably write your own programs to decrypt your own
files. But if you provide that service to someone else you could
run afoul of the law as I read it. The DMCA prohibits trafficking
in technology that can be used to circumvent technological
protection measures. There is no language requiring proof than
anyone's copyright was violated. Traffic for hire and it's a
felony.
I think there's a good argument to the contrary.
The DMCA only bans trafficking in devices whose _primary_ purpose is
infringement.
No, DMCA bans trafficking in devices whose primary purpose is
*circumvention.* I'm not trying to nit pick, it's an important
point. DMCA creates a whole new class of proscribed activity,
circumvention, that does not require proof of infringement.
As for the phrase primary purpose, I can easily see a judge
accepting the argument that the primary purpose of a tool that breaks
encryption is circumvention as defined in this act. In the 2600 case,
the defense argued that DeCSS was also useful for playing purchased
DVDs on Linux machines and for fair use. The courts dismissed this
argument.
And it only applies to works protected by this Title, that is,
Title 17, which is the collection of laws pertaining to copyright.
Right, but just about everything written today is copyrighted from
the moment of creation. You have to go out of your way (or work for
the U.S. government) to place new works in the public domain.
There was a very long, drawn out discussion of what would be banned
and what not before passage. It included all sorts of people
traipsing up to Capitol Hill to make sure that ordinary research and
system maintenance, among other things, would not be prosecuted.
Bruce Schneier was among those who talked to the committees and was
satisfied, as I recall, that crypto had dodged a bullet. I'm not
saying that Bruce liked the bill, just that this particular fear was
lessened greatly, if not eliminated, by the language that finally
emerged.
I've heard that story as well. I don't know if he saw the final
language, how long he had to study it or what he based that opinion
on. Maybe there is some statement in the legislative history, which
is only what the legislators said about the bill, that might be
helpful in court. Absent that, we have to rely on what the law
actually says. Bruce's opinion of what the law means would carry no
weight in court.
Now a prosecutor probably wouldn't pursue the case of a
cryptographer who decoded messages on behalf of parents of some kid
involved in drugs or sex abuse. But what if the cryptographer was
told that and the data turned out to be someone else's? Or if the
kid was e-mailing a counselor about abuse by his parents? Or the
government really didn't like the cryptographer because of his
political views?
It all gets down to knowingly doing something, right? If our
cryptographer acted in good faith, he wouldn't be prosecuted -- the
person who set him up would be.
I see nothing in the law that exempts you from liability if you
didn't know you acted without authorization of the copyright holder.
There is a provision, 1203(c)(5), that lets a court reduce reducing
civil damages if you didn't know. That presumably does not apply to
the criminal provisions and prosecutors are notorious for doing
whatever it takes if they want to get someone. See, for example
http://www.nytimes.com/2002/01/21/nyregion/21CLEA.html
There is also the argument that Congress only intended to cover
tools for breaking content protections schemes like CSS and never
intended to cover general cryptanalysis. You might win with that
argument in court (I think you should), but expect a 7 digit legal
bill. And if you lose, we'll put up a Free Will web site.
No argument there!
As for the legal situation before the DMCA, the Supreme Court
issued a ruling last year in a case, Barniki v. Volper, of a
journalist who broadcast a tape he received of an illegally
intercepted cell phone conversation between two labor organizers.
The court ruled that the broadcast was permissible.
The journalist received the information from a source gratis.
That's different from paying for stolen goods, hiring someone to
eavesdrop, or breaking the law yourself. The First Amendment
covers a lot, in this case.
Correct. The Barniki opinion pointed out that the journalists were
not responsible for the interception. But journalists receive
purloined data from whistle-blowers all the time. Suppose in the
future it was one of those e-mail messages with a cryptographically
enforced expiration date? A journalist who broke that system might
be sued under DMCA. That possibility might not frighten the WSJ,
but what about smaller news organizations?
Fair enough. But what would the damages under copyright law be? They
generally correspond to a harm in the market for a certain kind of